Exploiting Weak Crypto on Car Key Fobs

[tomwimmenhove] has found a vulnerability in the cryptographic algorithm that is used by certain Subaru key fobs and he has open-sourced the software that drives this exploit. All you need to open your Subaru is a RasPi and a DVB-T dongle, so you could complain that sharing this software equates to giving out master keys to potential car thieves. On the other hand, this only works for a limited number of older models from a single manufacturer — it’s lacking in compatibility and affordability when compared to the proverbial brick.

This hack is much more useful as a case study than a brick is, however. [tomwimmenhove]’s work points out some bad design on the manufacturer’s side, and as such it can help you avoid these kinds of mistakes. The problem of predictable keys got great treatment in the comments of our post about an encryption scheme for devices low in power and memory, for instance.

Those of you interested in digital signal processing may also want to take a look at his code, where he implements filtering, demodulation and decoding of the key fob’s signal. The transmission side is handled by rpitx, and attacks against unencrypted communications with this kind of setup have been shown here before. There’s a lot going on here that’s much more interesting than stealing cars.
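The receive chain described above (filter, demodulate, decode) boils down to a few steps that are easy to see on a toy signal. The following is an added example written for this page, not code from [tomwimmenhove]’s project: it on-off-keys a constructed bit stream onto a low sub-carrier, buries it in Gaussian noise, and then recovers the bytes with a rectify-and-average envelope detector, a mid-point slicer and once-per-bit sampling. The sample rate, carrier, bit rate and alternating preamble are assumptions chosen to keep the script self-contained; the real fob’s modulation and framing are whatever the project’s demodulator implements.

```python
from __future__ import annotations

import math
import random

# Toy baseband parameters. These are assumptions for a runnable illustration,
# not the Subaru fob's real carrier, bit rate or frame layout.
SAMPLE_RATE = 48_000          # samples/s of the constructed baseband
CARRIER_HZ = 6_000            # constructed sub-carrier that gets keyed on/off
BAUD = 1_000                  # bits/s
SPB = SAMPLE_RATE // BAUD     # samples per bit (48)
WINDOW = SPB // 2             # moving-average length of the envelope detector
PREAMBLE = [1, 0] * 8         # assumed alternating sync pattern


def bytes_to_bits(data: bytes) -> list:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):   # drop a trailing partial byte
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def modulate(payload: bytes, noise_sigma: float = 0.2, seed: int = 1) -> list:
    """OOK-modulate PREAMBLE+payload, with leading/trailing silence and Gaussian noise."""
    rng = random.Random(seed)
    bits = PREAMBLE + bytes_to_bits(payload)
    samples = [rng.gauss(0.0, noise_sigma) for _ in range(3 * SPB)]   # leading silence
    n = 0
    for bit in bits:
        for _ in range(SPB):
            carrier = math.sin(2 * math.pi * CARRIER_HZ * n / SAMPLE_RATE) if bit else 0.0
            samples.append(carrier + rng.gauss(0.0, noise_sigma))
            n += 1
    samples += [rng.gauss(0.0, noise_sigma) for _ in range(3 * SPB)]  # trailing silence
    return samples


def envelope(samples: list) -> list:
    """Rectify, then moving-average low-pass: a crude but serviceable envelope detector."""
    rect = [abs(s) for s in samples]
    out, acc = [], 0.0
    for i, r in enumerate(rect):
        acc += r
        if i >= WINDOW:
            acc -= rect[i - WINDOW]
        out.append(acc / min(i + 1, WINDOW))
    return out


def demodulate(samples: list) -> list:
    """Slice the envelope at its mid-point, find the burst start, sample once per bit."""
    env = envelope(samples)
    threshold = (max(env) + min(env)) / 2
    start = next((i for i, v in enumerate(env) if v > threshold), None)
    if start is None:
        return []
    bits = []
    # The averaging window makes the detected edge lag the true bit edge by a
    # fraction of WINDOW; sampling near the bit mid-point tolerates that lag.
    i = start + SPB // 2
    while i < len(env):
        bits.append(1 if env[i] > threshold else 0)
        i += SPB
    return bits


def decode_packet(samples: list):
    """Demodulate, check the sync pattern, return the payload bytes (None if no sync)."""
    bits = demodulate(samples)
    if bits[:len(PREAMBLE)] != PREAMBLE:
        return None
    return bits_to_bytes(bits[len(PREAMBLE):])


if __name__ == "__main__":
    frame = b"\xa5\x3c\x0f"   # constructed payload
    print(decode_packet(modulate(frame)).hex())
```

The pure-Python moving average stands in for the FIR low-pass a real receiver would use, and the mid-point slicer stands in for proper AGC; with an SDR feeding a few megasamples per second you would decimate first and do the same steps on the decimated stream.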


55 thoughts on “Exploiting Weak Crypto on Car Key Fobs”

“so you could complain that sharing this software equates to giving out master keys to potential car thieves. On the other hand, this only works for a limited number of older models from a single manufacturer ”

This in no way helps or comforts those people who, through no fault of their own, would be burglarized because of this being open sourced. White hat hacking is something that is needed to improve security, but it is irresponsible to put things like this out in the wild and to promote them. These people have no way to upgrade their key fobs and protect themselves.

Shame on you hack-a-day for your irresponsibility in promoting this. I hope your poor justification helps you sleep at night.

Besides, don’t you still need to hotwire the car or to use the actual key to start it? Seems like a lot of effort to steal an older car: find a specific year-model of Subaru, use RPi to unlock the doors, then proceed to hotwire it and… profit maybe a few hundred bucks?

The affected models aren’t that old. Also note that it requires that you be present when an owner locks or unlocks. But you could probably fairly easily set it up to automatically retransmit an “unlock” code on a time delay from when any “lock” code is seen… Which would allow you to ensure that any fob-locked Subaru in the area was unlocked.

I unfortunately own one of the affected vehicles – the mitigation (don’t use the fob to lock the vehicle) will be a PITA. Of course I’ve been better about not keeping anything visible in the vehicle lately – this attack isn’t useful for taking the car, only its contents.

The big question is – whether or not Subaru actually upgraded their rolling code scheme with the next gen of Outbacks. If Gen4 Outbacks are also affected in addition to Gen3 this becomes very bad news.

Yup, I also own one of the affected vehicles, and it is also the first car I bought that had a key fob. I was a bit irritated to find out that if you use the physical key to unlock the doors, the car alarm goes off. This means you are stuck using the key fob. I am hoping there is some easy-ish way to disable the alarm-sounds-when-using-key feature, and this may prompt me to search a bit harder...

Oh, right, I hadn’t thought of that. I’m not in the habit of ever leaving anything actually worth anything in my car, so it just didn’t occur to me that some people do and in that respect I do see why this is worse than I assumed.

I can’t reply directly to @JoeP’s comment – in your case, still needing to hit “unlock” isn’t that bad because unless an attacker is specifically targeting you and following you around – your vehicle is already unlocked AND you’re present so if an attacker unlocks it when you’re entering, they gain nothing. It’s using the fob to lock when leaving the car that is problematic – now an attacker could leave a device in a parking lot that will unlock a vehicle 5 minutes after it is locked – e.g. more than enough time for the owner to have walked away.

I agree with “you can’t just hotwire a car” like the old days e.g. cut wires and make sparks like in the movies. But you can rock in with a programmer, match a new key to the car and drive away in a minute or two. No cut wires, no broken windows, no smashed ignition, just car be gone.

I can only speak from my experience with Ford, but they actually have (or had) 6 key memory spaces in the memory. The tech that keyed my car did what the above poster said, just hooked the computer to the port and cloned it. Not my bag, so I can’t really offer specifics other than it is probably easy to pick up a similar system on eBay. The cloning of the key/fob and registering it with the truck took less than two minutes from beginning to end.

That said, I do agree with the folks saying this is a bit cavalier to release in the wild. The main hurdle of security seems to be able to afford the programmer, which this makes waaaay more cheap/easy. Then again, you can still char a “valet” key that gets you in the car to have physical access or yes even a brick to the window as others suggest. Although driving around with a busted window is a red flag. Kinda like how cops used to look for the “halfway down rear window” on cars in the 90s when folks used to just knock all the mechanics off track to get into the car thru the window with a shitty slim jim lol.

My only security system is that my truck is old as hell and has a transmission that has to be babied. Unless Hank Hill steals it, they aren’t getting too far. Hopefully the thief wrecks and totals it out so I can get something decent though insurance will probably f me in the a.

I have an 07 Legacy (likely affected by this); and I have to say that I am happier knowing that this exists. Knowledge like this, once discovered, has a habit of spreading no matter how hard you try to stop it. At least since I know about it, I can try to mitigate it. Also it is a good thing to shame lazy manufacturers who assume that this is an OK security hole to have.

You might want to take pause and consider how many professional car thieves are capable of developing hacks like this who do not post on sites like this. There are crews operating globally, every day, that can steal almost any model of car on the market using a wide range of ‘styles’. Yes, some will read items like this, but I would not want to put money on this being the only exploit they know about. This is not about comforting the owners of some 2005-2010 Subaru models (which are already a very commonly stolen car where I live), it has a much deeper purpose than that.

Indeed, completely agree. We should leave this hidden so only the car thieves know about it so the average tinkerer doesn’t accidentally burglarize his neighbor’s car. Plus it hurts the auto industry every time someone publishes one of these hacks. How un-American is that!? We shouldn’t be pushing the auto manufacturers to fix their crap, we should be burying any public information on it so auto manufacturers and burglars are able to maintain their businesses without disruption. The nerve of people!

Well, pretty much every keyless entry fob of the kind where the door unlocks when you get near it is vulnerable to some form of the man-in-the-middle attack.
The kind where you have to push a button to unlock the doors is much more secure, as the footprint is much smaller because it’s not constantly looking to make a handshake.
Keyless entry and push button start are one of those situations where you trade some security for convenience.

That said a simple fix to greatly reduce the attack footprint from 24/7 to just a few seconds or minutes might be to make the fob only go live when a button on it is pushed or even add a hardware switch to switch off the radio or even the battery when it’s not in use.

I quickly read through the code. Subaru basically had no protection at all in this system. They just sent an incrementing number as the rolling code with a 4-bit checksum. Looks like this “hack” could be even more easily or inexpensively implemented in a micro/RF chip like the TI CC1010 or Atmel ATA8210 or any micro talking to a pair of those inexpensive and ubiquitous 433 MHz modules.
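The comment above reads the fob’s rolling code as a bare incrementing counter with a 4-bit checksum. The following is an added example written for this page, not code from the project or from Subaru: it models that design with a constructed frame layout (fob id, button, 24-bit counter, nibble-XOR checksum) and shows that anyone who has sniffed one frame can emit the next valid one, then contrasts it with a keyed rolling code where the counter is authenticated by a truncated HMAC, which defeats both prediction and replay. The button codes, frame layout, checksum, 16-count resync window and 32-bit tag length are all assumptions for the illustration.

```python
import hashlib
import hmac
import struct

LOCK, UNLOCK = 0x1, 0x2   # constructed button codes
WINDOW = 16               # assumed resync window: how far ahead a counter may jump


def checksum4(word: int) -> int:
    """Constructed 4-bit checksum (XOR of all nibbles); stands in for whatever the fob uses."""
    c = 0
    while word:
        c ^= word & 0xF
        word >>= 4
    return c


def weak_frame(fob_id: int, button: int, counter: int) -> tuple:
    """Frame with no secret: everything needed to build it is visible on the air."""
    word = (fob_id << 28) | (button << 24) | (counter & 0xFFFFFF)
    return (fob_id, button, counter, checksum4(word))


class WeakFob:
    def __init__(self, fob_id: int, counter: int = 0):
        self.fob_id, self.counter = fob_id, counter

    def press(self, button: int) -> tuple:
        self.counter += 1
        return weak_frame(self.fob_id, button, self.counter)


class WeakCar:
    def __init__(self, fob_id: int, last_counter: int = 0):
        self.fob_id, self.last = fob_id, last_counter

    def accept(self, frame: tuple) -> bool:
        fob_id, button, counter, chk = frame
        if fob_id != self.fob_id or chk != weak_frame(fob_id, button, counter)[3]:
            return False
        if not (self.last < counter <= self.last + WINDOW):   # replay, or too far ahead
            return False
        self.last = counter
        return True


def forge_next_weak(sniffed: tuple, button: int) -> tuple:
    """Attacker: the next accepted code is counter+1 with a recomputed checksum."""
    fob_id, _, counter, _ = sniffed
    return weak_frame(fob_id, button, counter + 1)


def keyed_tag(key: bytes, fob_id: int, button: int, counter: int) -> bytes:
    """Authenticate (fob, button, counter) with a per-fob secret; 32-bit truncated HMAC-SHA256."""
    msg = struct.pack(">IBI", fob_id, button, counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class KeyedFob:
    def __init__(self, fob_id: int, key: bytes, counter: int = 0):
        self.fob_id, self.key, self.counter = fob_id, key, counter

    def press(self, button: int) -> tuple:
        self.counter += 1
        return (self.fob_id, button, self.counter,
                keyed_tag(self.key, self.fob_id, button, self.counter))


class KeyedCar:
    def __init__(self, fob_id: int, key: bytes, last_counter: int = 0):
        self.fob_id, self.key, self.last = fob_id, key, last_counter

    def accept(self, frame: tuple) -> bool:
        fob_id, button, counter, tag = frame
        if fob_id != self.fob_id:
            return False
        if not hmac.compare_digest(tag, keyed_tag(self.key, fob_id, button, counter)):
            return False
        if not (self.last < counter <= self.last + WINDOW):
            return False
        self.last = counter
        return True


def forge_next_keyed(sniffed: tuple, button: int) -> tuple:
    """Attacker without the key: bump the counter and hope the old tag still works."""
    fob_id, _, counter, tag = sniffed
    return (fob_id, button, counter + 1, tag)


def demo_weak() -> bool:
    fob, car = WeakFob(0x1234), WeakCar(0x1234)
    sniffed = fob.press(LOCK)                 # owner locks; attacker records the frame
    assert car.accept(sniffed)
    return car.accept(forge_next_weak(sniffed, UNLOCK))   # True: car opens for the attacker


def demo_keyed() -> tuple:
    key = bytes(range(16))                    # constructed per-fob secret shared with the car
    fob, car = KeyedFob(0x1234, key), KeyedCar(0x1234, key)
    sniffed = fob.press(LOCK)
    assert car.accept(sniffed)
    forged = car.accept(forge_next_keyed(sniffed, UNLOCK))   # False: tag does not verify
    replayed = car.accept(sniffed)                           # False: counter already used
    legit = car.accept(fob.press(UNLOCK))                    # True: the real fob still works
    return forged, replayed, legit


if __name__ == "__main__":
    print("weak design, attacker unlocks:", demo_weak())
    print("keyed design (forged, replayed, legit):", demo_keyed())
```

The keyed version still needs the counter window to survive presses made out of range of the car, and it does nothing against the relay attack on proximity fobs discussed elsewhere in this thread, where a live exchange with the real fob is simply forwarded; what it removes is the property that an eavesdropper can compute a future valid frame from a past one.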

The project grew out of me playing around with radio waves and trying to write my first demodulator :) Using a CC1101 and some cheap micro would’ve made it much easier and, as you pointed out, cheaper. Simplicity-wise, however, this implementation wins, hands down. All the required soldering is a piece of wire to a GPIO pin on the rPi.

The way responsible disclosure is SUPPOSED to work, you tell the company responsible FIRST and release the details to the world after the company has tried to fix it (or refused). Publishing the code before a patch is a dangerous last resort that should only be used to force the company to fix the flaw after they’ve refused, and it can get you in legal trouble. Did he at least contact Subaru before open-sourcing his code?

These methods have been in the burglary world for years. BMWs disappear in Central Florida all the time using repeaters. Bastards steal them direct from the dealerships sometimes. I guarantee burglars in your area probably already had a way to steal your car for the past couple of years. Your car just hadn’t been targeted yet.

Russian hackers employed by “russian mafia” in particular put a lot of effort into cracking luxury car security as soon as a new system comes on the market. Then even though the manufacturers know that their top end models are being stolen to order for resale in other countries, they go and use the same system on their cheaper models a couple of years later.

Anyway, in discussion linked from article, that’s what I meant, if you actually look into it, MOST key fobs have been cracked, or have serious vulnerabilities.

Yes, I did. They told me to submit a partnership questionnaire, which I also did. After that, I didn’t hear from them for over 2 weeks, at which point I released the code. Only THEN they got back to me, saying “no thanks”.

That’s a Forester SH, third generation, built 2009-2013. 12k€ for one registered in ’09 with a diesel engine was the cheapest I could find right now. At least 15k€ for one with a gasoline engine.
My 16 freaking year old 1st gen SF is in a better state than this guy’s car, because he just doesn’t care about it.

Generally, what can the owner of a car do when an exploit such as this becomes public? Install an additional, not-yet-compromised aftermarket remote command system for the central lock, in series with the existing one? And we know for sure that access control systems “rot” with time. With computers, even old ones (unless they are closed source beyond the support period), we upgrade security-critical software. What can we do for cars?

Perhaps the authentication function should be a plug-in upgradeable module with a universal interface which we periodically change as old ones become insecure. Perhaps that module should be as universal as possible: consist of an SBC board and a DVB-T dongle (just like the attackers’ equipment), and we should buy on the market key fobs with the best publicly scrutinized authentication scheme which can be implemented on our universal receiver.

Yeah, that will be hilarious. Some dope will come up with the idea of calling them in for service in the middle of the night so owners aren’t inconvenienced, and all the thieves have to do is some GPS spoofing so they’re waiting with covered trucks in a lot up the street... that’s if they can’t screw directly with cellular control of them with a stingray or micro cell type device.

When I worked as an auto locksmith, I could cut a key for any brand of car via the VIN located on the dash, for any year, and program it along with the keyless entry in less than 10 minutes, and on most cars under 5 minutes total. You could capture the RKE and replay the open command on almost all brands of cars with ease with the same tools.